Windows Forum / Windows XP / Performance and Maintainance / November 2006
UPHClean
JD - 27 Nov 2006 06:24 GMT I've installed the UPHClean program and no longer get the "Userenv" event on shutdown, though, interestingly, the shutdown time does not seem to have been shortened. What I'd like to know is how to learn what program or application was responsible for the event in the first place. Is this recorded in a "log" somewhere?
Wesley Vogel - 27 Nov 2006 17:23 GMT Look for Event ID: 1201 Event Source: UPHClean in the Event Viewer.
--
Hope this helps. Let us know.
Wes
MS-MVP Windows Shell/User
JD - 27 Nov 2006 22:24 GMT
Hi Wes, No 1201, but here's what I do find, and I wonder if this can "identify" the culprit:
Event Type: Information
Event Source: UPHClean
Event Category: None
Event ID: 1401
Description: The following handles in user profile hive GATEWAY\Owner (S-1-5-21-1844237615-1801674531-725345543-1003) have been remapped because they were preventing the profile from unloading successfully:
svchost.exe (1696) HKCU (0x164)
Wesley Vogel - 28 Nov 2006 03:07 GMT
Apparently you are using handle remapping.
8) If you use handle remapping instead of getting event id 1201 logged you will get event 1401:
Event Type: Information Event Source: UPHClean Event Category: None Event ID: 1401
Which processes UPHClean performs handle remapping on can be specified using the following registry value:
HKLM\System\CurrentControlSet\Services\UPHClean\ Parameters\REMAP_HANDLE_PROCESS_LIST
The list by default contains '*' which specifies that handle remapping should be performed for all non-excluded processes. This list can be changed to only include specified processes in the same manner as the process exclusion list. Processes specified on this list can be preceded by a '-' character to specify that they should be excluded from handle remapping. Any handle for a process that is not excluded but has handle remapping turned off will be closed.
from...
UPHClean v1.6d readme.txt http://download.microsoft.com/download/a/8/7/a87b3d05-cd04-4743-a23b-b16645e075ac/readme.txt
You must have a different version of uphclean than I have. I have v1.5e according to my Readme. The Readme that came with my version does not list Event ID: 1401 or mention handle remapping.
Read through your Readme, either online at the link above or...
Paste the following line into Start | Run and click OK...
%ProgramFiles%\UPHClean\readme.txt
--
Hope this helps. Let us know.
Wes
MS-MVP Windows Shell/User
JD - 28 Nov 2006 04:40 GMT
Apparently "handle remapping" is the default with version 1.6.30.0. The following, from the Readme, may explain how to discover what program is causing the Userenv "event":
By default UPHClean takes action to allow profiles to unload. You can choose to have UPHClean only report what processes it finds preventing profiles from unloading. To do this, install UPHClean and use the registry editor to set: HKLM\System\CurrentControlSet\Services\UPHClean\Parameters\REPORT_ONLY to 1.
You can also have UPHClean log the call stack that is responsible for the profile hive handle. This is necessary to find out what software is responsible for the hive handle in processes used for many purposes (e.g. svchost.exe, dllhost.exe, winmgmt.exe). To enable call stack logging use the registry editor to set:
HKLM\System\CurrentControlSet\Services\UPHClean\Parameters\CALLSTACK_LOG to 1.
Logging the call stack is computationally and memory intensive. You should use this option to collect information and then turn it off. To get more accurate call stack logging it may be necessary to get symbols installed on the computer. You can read about getting symbols at: http://www.microsoft.com/whdc/ddk/debugging/symbols.mspx
Do I understand correctly that if I follow these instructions I can learn what program or process is causing the "event"?
Is that not the way your version works? If it doesn't do "handle remapping," what does it do? How do YOU learn what program is the culprit?
Also, is it significant that I definitely do not notice any improvement in the shutdown time?
JD - 28 Nov 2006 06:34 GMT
I did the registry changes as indicated, then rebooted. But I am at a loss as to where to find the "log" that I assume should have been created. It is not in the UPHClean folder in Windows/Programs. How, exactly, does this "service" identify what programs, services, or applications are causing the Userenv "event"?
Wesley Vogel - 29 Nov 2006 00:49 GMT
> Is that not the way your version works? If it doesn't do "handle remapping," what does it do? How do YOU learn what program is the culprit?
My version closes the handles on the offending process. I.e. lsass.exe is the culprit that I always see in my Event ID: 1201s. At least the ones that I've bothered to read. ;-)
Event Type: Information
Event Source: UPHClean
Event Category: None
Event ID: 1201
Date: 7/30/2005
Time: 10:41:39 PM
User: MYPENTIUM450\Wesley P. Vogel
Computer: MYPENTIUM450
Description: The following handles in user profile hive MYPENTIUM450\Wesley P. Vogel (S-1-5-21-1708537768-15xxxx6667-1202660629-1003) have been closed because they were preventing the profile from unloading successfully:
lsass.exe (436) HKCU (0x3f8)
------
Event Type: Information
Event Source: UPHClean
Event Category: None
Event ID: 1201
Date: 10/22/2005
Time: 3:44:07 PM
User: MYPENTIUM450\Wesley P. Vogel
Computer: MYPENTIUM450
Description: The following handles in user profile hive MYPENTIUM450\Wesley P. Vogel (S-1-5-21-1708537768-15xxxx667-1202660629-1003) have been closed because they were preventing the profile from unloading successfully:
lsass.exe (440) HKCU (0x3c4)
------
For HKCU (0x3f8) & HKCU (0x3c4) HKCU is the HKEY_CURRENT_USER registry hive. (0x3f8) & (0x3c4) must be the memory locations, just a guess.
I assume that for lsass.exe (436) & lsass.exe (440), (436) & (440) were the PID #s for lsass.exe on those dates.
PID is Process ID or process identifier. These numbers change every time you reboot. I think that they are just an arbitrarily assigned number. Each process has a different number while running. A process can also have a different PID if opened and closed, etc. ------
If HKLM\System\CurrentControlSet\Services\UPHClean\Parameters\REPORT_ONLY is set to 1, UPHClean will NOT take action to allow profiles to unload. All it does is make a log somewhere.
Make sure that it is set 0 (zero).
I do not know its name or location, but I would guess that it'd be in C:\ or C:\WINDOWS, or look at C:\WINDOWS\Debug\UserMode\userenv.log. userenv.log also seems to list profile or registry hive load, unload, or deletion failures. I think that you can only get userenv.log with Windows XP Professional because it also reports on Group Policy.
--
Hope this helps. Let us know.
Wes
MS-MVP Windows Shell/User
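As an added example that is not part of the thread and not UPHClean's own code: the readme text quoted above (REMAP_HANDLE_PROCESS_LIST, REPORT_ONLY, CALLSTACK_LOG) and the 1201/1401 events posted here are easier to work with from PowerShell than by reading Event Viewer entries by hand. The script below reads the Parameters key, lets you switch CALLSTACK_LOG on for a diagnostic run while keeping REPORT_ONLY at 0 (so UPHClean still frees the hive, as Wes warns), and parses the "process.exe (PID) KEY (0xHANDLE)" lines out of the 1201 and 1401 events so you can count which process shows up most often. It assumes Windows PowerShell 2.0 or later, that UPHClean is installed as the service "UPHClean" under HKLM\SYSTEM\CurrentControlSet\Services\UPHClean, and that it logs to the Application log with source "UPHClean" and the event text shown in this thread; the function names are mine.

```powershell
# Added example, not from the thread or from UPHClean itself.
# Assumes: Windows PowerShell 2.0+, run as Administrator, UPHClean 1.6 installed
# as service "UPHClean", logging to the Application log with source "UPHClean"
# (Event ID 1201 = handles closed, 1401 = handles remapped, per the readme quoted
# in the thread).

$paramKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\UPHClean\Parameters'

function Get-UPHCleanConfig {
    # Show the switches discussed in the thread. A value that is absent means
    # the default: REPORT_ONLY=0, CALLSTACK_LOG=0, REMAP_HANDLE_PROCESS_LIST='*'.
    $p = Get-ItemProperty -Path $paramKey -ErrorAction Stop
    New-Object PSObject -Property @{
        REPORT_ONLY               = $p.REPORT_ONLY
        CALLSTACK_LOG             = $p.CALLSTACK_LOG
        REMAP_HANDLE_PROCESS_LIST = $p.REMAP_HANDLE_PROCESS_LIST
    }
}

function Set-UPHCleanDiagnostics {
    # Turn call-stack logging on for one diagnostic session (or back off) and
    # restart the service so the change is picked up. REPORT_ONLY is forced to
    # 0 on purpose: with it set to 1 UPHClean only reports and no longer lets
    # the profile unload.
    param([switch]$Enable)
    $value = if ($Enable) { 1 } else { 0 }
    Set-ItemProperty -Path $paramKey -Name CALLSTACK_LOG -Value $value -Type DWord
    Set-ItemProperty -Path $paramKey -Name REPORT_ONLY   -Value 0      -Type DWord
    Restart-Service -Name UPHClean
}

function Get-UPHCleanBlockers {
    # Parse the 1201/1401 event descriptions into one object per reported handle.
    param([int]$Newest = 100)
    $events = Get-EventLog -LogName Application -Source UPHClean -Newest $Newest |
              Where-Object { @(1201, 1401) -contains $_.EventID }
    foreach ($e in $events) {
        $action = if ($e.EventID -eq 1401) { 'remapped' } else { 'closed' }
        # "user profile hive DOMAIN\User (S-1-5-21-...)" ; the user name may contain spaces
        $profile = '?'
        if ($e.Message -match 'user profile hive (.+?) \((S-1-[\d-]+)\)') { $profile = $Matches[1] }
        # one line per handle, e.g. "lsass.exe (436) HKCU (0x3f8)"
        $lines = [regex]::Matches($e.Message, '(\S+\.exe) \((\d+)\) (\S+) \((0x[0-9A-Fa-f]+)\)')
        foreach ($m in $lines) {
            New-Object PSObject -Property @{
                Time    = $e.TimeGenerated
                Action  = $action
                Profile = $profile
                Process = $m.Groups[1].Value
                PID     = [int]$m.Groups[2].Value   # only meaningful for the boot the event came from
                Key     = $m.Groups[3].Value        # HKCU = that user's HKEY_CURRENT_USER hive
                Handle  = $m.Groups[4].Value        # handle value inside that process, not a memory address
            }
        }
    }
}

# Usage: show the configuration, then rank the processes UPHClean keeps reporting.
Get-UPHCleanConfig
Get-UPHCleanBlockers | Group-Object Process | Sort-Object Count -Descending |
    Select-Object Count, Name
# To collect call stacks for a few logoffs and then switch logging back off:
#   Set-UPHCleanDiagnostics -Enable
#   ... log off and on a few times ...
#   Set-UPHCleanDiagnostics
```

The grouping at the end answers the thread's actual question (which process is the repeat offender) without guessing from a single event. Because a PID is reassigned after every reboot, match a PID against the running process list only for events logged since the current boot; for shared hosts such as svchost.exe the PID alone will not tell you which DLL opened the key, which is exactly the case the readme's CALLSTACK_LOG option exists for.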
JD - 29 Nov 2006 03:39 GMT
Does lsass.exe (436) HKCU (0x3f8) give you a clue as to what program is causing the problem that UPHClean is "fixing"? C:\WINDOWS\Debug\UserMode\userenv.log is an empty folder. Perhaps you're correct that I can only get such a log from XP Pro, the UPHClean directions to the contrary notwithstanding. I appreciate your attempts to help.
Wesley Vogel - 29 Nov 2006 16:13 GMT
Lsass.exe is the process or program that causes my problem. I do not understand half of it, a lot relates to networks and servers. I'm sure that there are half a dozen .dll files involved as well.
Lsass.exe is LSA Shell (Export Version). LSA = Local Security Authority.
It is also called the Local Security Administration Subsystem Service. Lsass.exe seems to have a lot of names.
Lsass.exe starts pretty early in the Windows boot process.
Lsass.exe runs all of the time and is one of the few processes that cannot be ended with Task Manager.
Lsass.exe is a system process of the Microsoft Windows security mechanisms. It specifically deals with local security and login policies.
Lsass.exe is the local security authentication server, and it generates the process responsible for authenticating users for the Winlogon service. This process is performed by using authentication packages such as the default Msgina.dll. If authentication is successful, Lsass generates the user's access token, which is used to launch the initial shell. Other processes that the user initiates inherit this token.
Lsass.exe is responsible for many services: Net Logon (netlogon), NT LM Security Support Provider (NtLmSsp), IPSEC Services (PolicyAgent), Protected Storage (ProtectedStorage) and Security Accounts Manager (SamSs).
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Npfs\Aliases Value Name: lsass Data Type: REG_MULTI_SZ Value Data: protected_storage;netlogon;lsarpc;samr
The Security Account Manager Remote Procedure Call (RPC) protocol (SAMR) is an integral subsystem that is used to perform remote Service Account Manager operations, such as user account management and manipulation. The SAMR interface defines the remote Security Account Manager (SAM) methods that are called by the client.
Netlogon – Net Logon service Lsarpc – LSA access Samr – SAM access
When Windows boots, the MBR (Master Boot Record) reads the boot sector, which is the first sector of the active partition. This sector contains the code that starts Ntldr, which is the bootstrap loader for Windows XP. Ntldr runs Ntdetect.com to get information about installed hardware. Ntldr then loads the two files that make up the core of XP: Ntoskrnl.exe and Hal.dll. Ntoskrnl.exe starts Winlogon.exe, which starts Lsass.exe (Local Security Administration); this is the program that displays the Welcome screen and allows a user to log on with their credentials (user name and password).
--
Hope this helps. Let us know.
Wes
MS-MVP Windows Shell/User
JD - 29 Nov 2006 22:19 GMT
You've outdone yourself Wes. Your work is greatly appreciated. I take it that you are not particularly concerned to learn what program is causing the Userenv "event." I suspect the AV program. It seems to make sense that it is always on. I also wonder about the cable Internet connection. It isn't a serious problem, however. I used to boast about my fast shut-down times, even with the Userenv event. Since installing and subsequently uninstalling IE7, the shutdown process is much longer. After "Windows is shutting down," there are long seconds in which nothing seems to be happening. No "clicking" or other signs of activity. This even with the UPHClean running. Coincidence? BTW, my boot time is 25 seconds. Shutdown runs between 30 seconds and one minute. Does that sound "normal"?
Wesley Vogel - 30 Nov 2006 00:33 GMT
> I take it that you are not particularly concerned to learn what program is causing the Userenv "event."
I already know what program; lsass.exe is the program.
These are usually the only programs running when I shut down: avgamsvr.exe, avgcc.exe, csrss.exe, devldr32.exe, explorer.exe, lsass.exe, services.exe, smss.exe, spoolsv.exe, svchost.exe, svchost.exe, uphclean.exe, vsmon.exe, winlogon.exe and zonealarm.exe.
SWAG: IE7 is probably your problem. I see nothing but problems with it. The fact that you uninstalled it does not mean that it hasn't left problems behind.
--
Hope this helps. Let us know.
Wes
MS-MVP Windows Shell/User
JD - 30 Nov 2006 01:32 GMT
I always assumed that the program that was causing the Userenv event was an after-market application. I see now that it is one of the Windows normal functions. The first thing I noticed with IE7 was that my HP scanner program would not work. The techs at HP suggested that I roll back to IE6 until they can come up with a patch. From the IE newsgroup, I see lots of people reporting all kinds of problems with version 7. I think I'll wait a while longer before trying it again. Meanwhile, as to how to identify and fix problems that IE7 has "left behind"? I guess if it's no more than a slower shutdown I can just live with it. BTW, I'm not familiar with SWAG. What does that mean?
Shenan Stanley - 30 Nov 2006 01:41 GMT
<lots snipped>
Wesley Vogel wrote:
<snipped>
> SWAG: IE7 is probably your problem. I see nothing but problems with it. The fact that you uninstalled it does not mean that it hasn't left problems behind.
<snipped>
> BTW, I'm not familiar with SWAG. What does that mean?
http://www.acronymfinder.com/af-query.asp?String=exact&Acronym=swag
and/or
http://www.acronymattic.com/results.aspx?q=SWAG
I'll let you guess at which ones might apply... (Hint: It's probably *not* Star Wars Artists Guild... *grin*)
--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html
JD - 30 Nov 2006 01:53 GMT I'll take a wild "guess." Thanks, Shenan.
Wesley Vogel - 30 Nov 2006 04:27 GMT
> Meanwhile, as to how to identify and fix problems that IE7 has "left behind"? I guess if it's no more than a slower shutdown I can just live with it.
I have no idea. I never tried IE7. I did, however, try SP2 and the uninstall left some problems, but I got most of those fixed. Been so long ago, I don't even remember what they were.
> BTW, I'm not familiar with SWAG. What does that mean? It's a technical term: Silly Wild A** Guess. :-)
--
Hope this helps. Let us know.
Wes
MS-MVP Windows Shell/User